What do you see on this header? .... this is the header of a spam message, sent from one account on cpanel server, account is XXXX@YYYYYYY.com ... helo name of the machine is known (serach on google, you found lot of this same id) WIN-QR1R9GS1KDE .... and what really weird, is that it uses DOVEVOT_PLAIN login, as well as TLS ... not a normal spam on port 25...

One thing is that... this user, uses google (gmail) with this account to send mail.

WHERE exactly is the problem?
HOW could the attacker/spammer, able to login ... the password was impossible to guess, and client dont even uses that password, because its linked to gmail, so YES, password was "saved" on gmail... and gmail account is using that authenticated token, that any new device, needs that token to login, so double security....

Now.... someone cracked google? ... how is possible that someone got that SMTP information from google account? is the only place where is stored.

I also see weird why its dovecot auth, instead of normal smtp auth, but maybe its just like this cause the spammer just does it the way google does it... or maybe the spammer fakes being google to have pre-authenticated and able to send spam?...

SMTP authentication is required even if the sender is using Google. The "Send mail as" feature in GMail requests the SMTP authentication details for this purpose. Is it possible the user's google account was compromised (either through brute force or a virus)? Do the sent emails show up in the clients email client? Were you able to find additional information about the email deliveries in /var/log/exim_mainlog?